Microsoft has announced that hotpatch updates are available, effective immediately, for business customers running Windows 11 Enterprise 24H2 on x64 (AMD/Intel) systems. The feature lets operating system security updates install seamlessly in the background, without a device reboot.
Seamless Security Updates
Hotpatching enables Windows to deploy security updates by modifying the in-memory code of active processes, ensuring that installations occur without interrupting user activities. According to Microsoft, this capability is designed to enhance organizational security while minimizing disruptions. “With hotpatch updates, you can quickly take measures to help protect your organization from cyberattacks,” the company stated in a recent update. “You’ll first create a hotpatch-enabled quality update policy in Windows Autopatch through the Microsoft Intune console.”
Devices governed by this policy will receive hotpatch updates on a quarterly basis. Notably, for eight months of the year, users will not need to restart their devices for the security updates to take effect, streamlining the update process significantly.
Eligible Windows 11 Enterprise 24H2 devices will follow the same deployment schedule as standard updates, ensuring a consistent and reliable update experience.
To activate hotpatching on Windows client devices, a Microsoft subscription is required: Windows 11 Enterprise E3, E5, or F3, Windows 11 Education A3 or A5, or a Windows 365 Enterprise subscription. The device must also be running Windows 11 Enterprise 24H2 with the current baseline update installed, have an x64 (AMD64 or Intel) CPU, and have Virtualization-based Security (VBS) enabled.
Microsoft Intune is required to manage the deployment of hotpatch updates through a hotpatch-enabled Windows quality update policy. Hotpatch updates are still in public preview for Arm64 devices; on those, administrators can temporarily disable CHPE support by setting the HotPatchRestrictions registry value, which keeps the devices eligible until the feature is fully available:
Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
DWORD value: HotPatchRestrictions = 1
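The following PowerShell script is an added example, not Microsoft's code or anything from the article: it reports the local prerequisites listed above (24H2 build, x64 CPU, VBS running) and the current HotPatchRestrictions value, and on Arm64 devices optionally writes the registry value described. It assumes that Windows 11 24H2 corresponds to OS build 26100, that the Win32_DeviceGuard class reports VirtualizationBasedSecurityStatus of 2 when VBS is running, and that the registry change takes effect after a restart; licensing and Intune policy eligibility cannot be checked locally and are out of scope.

```powershell
# Added example (not from the article): report hotpatch prerequisites on a Windows 11 client.
# Assumptions: Windows 11 24H2 = OS build 26100; Win32_DeviceGuard reports
# VirtualizationBasedSecurityStatus 2 when VBS is running; the registry value is
# picked up after a restart. Run from an elevated PowerShell prompt.
param(
    [switch]$SetArm64Restriction   # only acts on Arm64 devices
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$valueName = 'HotPatchRestrictions'

function Get-HotpatchReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $arch  = $env:PROCESSOR_ARCHITECTURE   # 'AMD64' on x64, 'ARM64' on Arm64

    # VBS state from the Device Guard provider (0 = off, 1 = enabled, not running, 2 = running)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($null -ne $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)

    # Current HotPatchRestrictions value, if the value exists
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    $restriction = if ($item) { $item.$valueName } else { $null }

    [pscustomobject]@{
        Caption              = $os.Caption
        BuildNumber          = $build
        Is24H2OrLater        = ($build -ge 26100)
        Architecture         = $arch
        IsX64                = ($arch -eq 'AMD64')
        VbsRunning           = $vbsRunning
        HotPatchRestrictions = $restriction
    }
}

$state = Get-HotpatchReadiness
$state | Format-List

# Collect anything that would keep this device out of a hotpatch policy
$blockers = @()
if (-not $state.Is24H2OrLater) { $blockers += 'OS build is older than Windows 11 24H2 (26100)' }
if (-not $state.VbsRunning)    { $blockers += 'Virtualization-based Security is not running' }
if (-not $state.IsX64 -and $state.Architecture -ne 'ARM64') {
    $blockers += "Unsupported CPU architecture: $($state.Architecture)"
}

if ($state.Architecture -eq 'ARM64' -and $SetArm64Restriction) {
    # Arm64 preview: disable CHPE via the documented DWORD; a restart is assumed to be needed
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Set $valueName = 1 under $regPath (restart the device to apply)."
}

if ($blockers.Count -eq 0) {
    Write-Host 'No local blockers found; subscription and Intune policy eligibility still apply.'
} else {
    $blockers | ForEach-Object { Write-Warning $_ }
}
```

Run it without parameters to audit a device before enrolling it in a hotpatch-enabled quality update policy; pass -SetArm64Restriction only on Arm64 preview devices, since on x64 the script leaves the registry untouched.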
Once all prerequisites are satisfied, hotpatch updates can be enabled or disabled via the Microsoft Intune admin center by navigating to Devices > ‘Windows updates’ > ‘Create Windows quality update policy’. The system will automatically detect whether targeted devices qualify for hotpatch updates, further simplifying the management process.
Devices operating on Windows 10 and Windows 11 versions 23H2 and lower will continue to receive standard monthly security updates, ensuring that the ecosystem remains secure and productive.
Microsoft initially introduced Windows Hotpatch support to Windows Server Azure Edition core virtual machines, making it generally available in February 2022 for systems running Windows Server 2022 Datacenter: Azure Edition. The company has since expanded its testing to include Windows Server 2025 and Windows 11 24H2, with public previews commencing in late 2024.